PCI DSS v4.0 – Five changes you need to know

1. Enhanced focus on vulnerability management

PCI DSS v3.2.1 contained many different requirements to ensure that organizations were properly identifying and remediating vulnerabilities. These could be threats found from vulnerability scans or penetration tests.

Instead of simply detecting and fixing critical and high-risk vulnerabilities, PCI DSS v4.0 requirement 11.3.1.1.a now mandates that organizations periodically address all other vulnerabilities (such as medium, low or informational risks). This change is designed to address the fact that all vulnerabilities, regardless of their criticality, are potential attack vectors and should be managed effectively.

It is common for modern cyber attacks to use ‘vulnerability chaining’, which is where an attacker will leverage multiple vulnerabilities to gain access to a system or network, rather than a single exploit on its own. The update to this requirement addresses the importance of prioritizing and remediating all vulnerabilities to prevent such attacks.

2. Additional malware and phishing controls

PCI DSS v4.0 introduced a range of additional sub-requirements related to the protection of systems and networks from malware. For example, 5.3.3 is a new addition that requires organizations to use an anti-malware solution to automatically scan removable media such as USB sticks when they are connected or logically mounted.

5.4.1 is another new sub-requirement that is designed to help protect staff from phishing attacks, stating the need to “train personnel to recognize and report phishing emails”, as well as deploy anti-phishing mechanisms to detect and block attacks. This sub-requirement aims to ensure that malicious emails are identified and handled effectively, thus reducing the chances of malware being deployed via phishing attacks.

3. Improved security awareness training

PCI DSS Requirement 12.6 mandates that security awareness education should be an ongoing activity. While PCI DSS v3.2.1 did already have this requirement, v4.0 has introduced additional sub-requirements that provide specific details about how this should be implemented.

For example, 12.6.2 now states that organizations must review their security awareness training program at least once every 12 months, and it should be continually updated to address any new threats or vulnerabilities that could affect the cardholder data environment (CDE).

Sub-requirement 12.6.3 also now incorporates much more detail about the content of the security awareness training itself. PCI DSS v3.2.1 already mandated that users should be training upon hire and at least annually, however v4.0 specifically now requires this training program to include information about new vulnerabilities, phishing attacks, social engineering and the acceptable use of end-user technologies.

These are welcome changes to PCI DSS, as it is important to ensure your staff are always your best first line of defense. The additional requirements and alterations to existing guidance can help your business to build a robust training program that keeps your staff and cardholder data protected from existing and new threats.

4. Stronger authentication measures

Authentication and authorization mechanisms play a crucial role in preventing unauthorized access to sensitive data. One way of achieving this is with multi-factor authentication (MFA), which was not referenced in PCI DSS v3.2.1.

PCI DSS v4.0 places greater emphasis on stronger authentication controls and specifically introduces new requirements for implementing MFA. Requirement 8.4 in PCI DSS v4.0 mandates the use of MFA for all access to the CDE and 8.5.1 requires businesses to implement MFA systems properly. Both of these requirements will help organizations prevent unauthorized access to their systems and protect their cardholder data.

While MFA is not a silver bullet when it comes to securing access to data, when combined with many of the other requirements of PCI DSS it becomes a strong part of a multi-layered security strategy.

5. Different approaches to compliance

For PCI DSS v3.2.1, organizations only had one choice when it came to complying with the requirements – one defined approach with specific wording and set testing criteria. This meant the standard was somewhat inflexible, especially for organizations with bespoke systems or working practices.

PCI DSS v4.0 has addressed this challenge by introducing two different approaches that organizations can choose from to stay compliant:

Defined approach

This approach is the traditional way to comply with PCI DSS, using the exact requirements and testing criteria provided by the PCI SSC. This is a straightforward approach that makes it easy for organizations to follow the security controls outlined in the standard and for assessors to follow defined testing procedures.

This approach is great for organizations that require additional guidance for complying with PCI DSS, especially if they are just starting out on their information security journey or have not been PCI compliant before.

Customized approach

The customized approach was designed to help support “innovation in security practices”, and it enables businesses to have greater flexibility to show how their security controls meet PCI DSS requirements. Instead of needing to drastically adapt their approach simply for the sake of complying with specific wording, it is now possible for organizations to demonstrate how they meet the requirements in other ways, without strictly following the defined approach.

While it was still possible to use Compensating Controls to circumvent any issues, this should be welcome news for businesses that already have a mature information security and risk management program in place. When it comes to testing, if you have a customized approach for any of the PCI DSS requirements your assessor will define tailored testing procedures based on the specific control and its objective.